Why is MFA required for cybersecurity insurance?
May 16, 2022 •
Here at Cyphercor, we’ve been diving deeper into cyber security insurance and how MFA plays a big role in acquiring cyber insurance for new clients, or renewing an existing insurance policy for your company. As we’ve reported, implementing MFA is now a mandatory requirement to qualify for most cyber insurance policies available on the market.
Cybersecurity insurance has been around since 1990 but has recently become popular, and requiring MFA has recently been introduced as a way to mitigate risk and losses for both companies and insurance providers. 
Whether you’re purchasing a new policy or looking to renew your existing policy, it’s likely that you’ll be deemed ineligible if there is no MFA implemented at the very least on your remote access functions, email, and privileged accounts.
If you’re looking to get cyber insurance and are being asked about your company’s MFA implementation policies, you may be asking: why is MFA all of a sudden a top priority for insurance policies?
First, let’s put that question into the context of the last couple years. As we’ve explained before, during the pandemic there has been a sharp rise in remote working for companies, and consequently ransomware and phishing attacks.
A great example of this is last year’s Colonial Pipeline ransomware attack. Colonial Pipeline filed a claim worth $4.4 million crypto currency ransom to its insurance provider after a massive data breach — caused by a lack of MFA — shut down operations for several days. The government was able to recover only half of the ransom payment amount, about $2.3 million.
As cyber insurance was becoming more popular as a response to these kinds of massive cyber attacks, as well as smaller attacks on smaller businesses, insurers were feeling the hit more than anyone else. With losses massively outpacing premiums, insurance companies began drafting minimum requirements and controls for the companies they insured to have in place, and MFA emerged as a top priority.
Insurance companies weren’t the only ones looking to MFA to solve the problems of ransomware. Shortly after the Colonial Pipeline attack, an executive order came out from the White House, ordering that an MFA solution needs to be put in place for all government agencies and other sweeping regulations requiring businesses in many other industries to implement MFA as well.
But you still may be asking — why? What’s so special about MFA anyways?
The true answer, boiled down to its roots, is this: passwords aren’t good enough anymore.
As CEO Diego Matute talked about in our webinar on cyber insurance, according to Verizon and their annual data report, 61% of breaches that happen usually involve the takeover of weaker passwords. The average user uses anywhere from 3-5 of the same passwords for all of their accounts. The biggest threat facing organizations is account takeover through these weak and/or re-used passwords.
Remember that multi-factor authentication means that a user needs to show two or more proofs of identity beyond the standard username and password, that span three identity dimensions: something you know, something you have, and something you are.
MFA by itself is not a one and done solution. Although it does help lower your cyber risk, it’s helpful to think of it as an added layer of security protection, and cyber insurance is a great way to further protect yourself from the risk of cyber crime.
Whether you’re a small business or large enterprise, cyber insurance policies can vary in terms of coverage, and can include a variety of features and coverages including:
- Initial breach investigation
- Incident response and investigation
- Ransomware payments
- Legal expenses and defense
- Crisis Management
That’s why we’ve begun partnering with cyber insurers to provide MFA services directly to where companies need it most.
There’s plenty of benefits to implementing an MFA solution alongside cyber insurance, and LoginTC is a strong, simple, and secure MFA solution that connects seamlessly to your network infrastructure and works in tandem with your insurance to prevent and protect you from risk. We have helped businesses worldwide secure their data and qualify for cyber insurance.
Contact us today for more information.